Ex-SF Admin Terry Childs Gets 4-Year Sentence
Robert McMillan writes "You remember Terry Childs, right? He was finally sentenced Friday. Childs got four years in prison for refusing to hand over passwords to his bosses. This is a denial of service under California law."
Now that he's been sentenced, does this mean that more accurate details about the case will finally come to light? A lot of what I've read seemed to be mostly hearsay with hard facts hard to come by...
Especially when you read the story of one of the jurors who has a CCIE (http://www.networkworld.com/news/2010/042910-terry-childs-juror-explains-why.html). This wasn't a case of some PHB demanding access to something he shouldn't have. This was a case of an egomaniac sysadmin trying to make himself irreplaceable by locking everyone else out. When called on this he refused, bluffed, and finally lied.
For me, the lying part is where it clearly went to criminal levels. I suppose some of the other things he did (like store the WAN config only in memory, not saved to flash and keep the only backup on his laptop) could possibly be justified as just being paranoid and poorly educated in actual security practice. However when he gave his supervisors false passwords, lied to them, to me that showed clearly that he knew he was in the wrong. He knew he was supposed to give up the passwords but wouldn't.
Hopefully it'll be a lesson to other sysadmins to consider that at work, the computers are not yours. They don't belong to you. They belong to the organization you work for. Part of that means the organization gets to decide who has access. You can (and should) have input into that, and should make sure it is all documented, but ultimately the systems belong to them and you need to do as they say.
As IT workers, our job is to provide service, not prevent it. We need to do what we can to ensure people can get what they need. It is a service industry, like it or no.
I know I should just skip past this comment, but I do wonder why so many people on here seem to think being raped is funny. You might think the guy did wrong; you might also think that justice has really been served, and hey that's your right, we're all allowed an opinion. But he's not some big-in-the-game criminal that destroyed people's lives, so I really fail to see why joking that he should keep his arse to the wall is at all funny.
Agreed. America is supposed to be a civilized country. Why would anyone believe that it is appropriate to allow prisoners to be raped by other prisoners?
People joke about this and even seem to hope that it happens. This is disgusting and wrong. We have Enlightened articles about cruel and unusual punishments. Prison is supposed to be a loss of freedom, not a loss of basic human rights.
Hoist Number One and Number Six.
He will likely do only 6 months of actual jail time and he can declare bankruptcy to avoid the $900K claimed by the city. By this time next year, he can exercise his control freakery at KFC protecting the Colonel's secret recipe.
This just goes to show how asinine most "anti-hacking" laws are. Most were written in the 1980s during a big moral panic about "hackers" bringing down the telephone network, corporate networks, and western civilisation as we know it. You can very easily get more time in jail for what most would consider a prank than for rape or other violent crimes.
It is interesting that in this case Terry Childs did very little actual damage but got 4 years. In fact more damage was done when the prosecutor decided to publish a list of working passwords for the city's computer network. Just goes to show the kind of technophobic old people working in the city offices and in law.
I know this sounds very arrogant, but I would love to see trials change so you're actually judged by your peers instead of members of the public, so for example doctors by doctors, network admin by other network admin, and such. That way you can get a bunch of people who know how far this person has stepped out of line.
Just for clarity, what Terry Childs did was wrong - but he certainly didn't deserve jail. Even if he did deserve jail he already spent a year inside before the trial (for some ungodly reason) and that was more than enough time served for this. The only reason they kept pushing this is to avoid the huge lawsuit if they failed to get a sentence longer than the time he already spent inside.
A policy should have been in place that defined who the business owner (management) of the resource was (network in this case). It is the responsibility of management to ensure that they define who has a business need for access (and have it documented), and it's the responsibility of the tech grunt to run the system (or network) for the business owner.
The key point is that as a non-manager type person, if management says jump, get it in writing and jump. Management is ultimately responsible for the system and network to the business. If management has made bad choices or decisions, it's their fault and if the request or actions leading up to the failure are documented, that admin can refer to that.
All organizations should at least have a documented policy of who can have access to resources and that the business owner of the resource can be easily determined. The business owner needs to be someone who is legally responsible to the organization (i.e. an executive, or someone high enough in management).
As a system administrator, you should insist on having this documented just to protect yourself. If you suspect that there are some management decisions that could jeopardize the operation of the system, document it, report it to the business owner and let them make the final decision (with documentation).
In the case of Terry Childs, had this been documented, he would have been able to either say that the person who was requesting the passwords did not have a business need (and would be able to back that statement with documentation), -or- if the person did have authority to have access, he could simply have documented why it was a bad decision, handed the passwords over and walked away from it.
Yes there is a pride element. You've spent years building up a system and making it shine, but unless you are running your own business, you are not the legal owner of that system.
People joke about what they are scared of.
You are entitled to your own opinions, not your own facts.
Now ideally this is in the form of someone else having access, or there being a central password store. Read in to the Childs case and indeed there was a place where passwords were supposed to be stored and he didn't do it. However even if that's not the case, you have to relinquish the passwords when you leave. If you are the only one with the root password, you have to hand it over (or change it for them or whatever). Same shit as your keys, when you leave employment, you have to turn in your keys.
You don't have to help them figure anything out, but you are not allowed to lock them out of their own systems. If you cannot see the difference, you are being deliberately blind.
Now ideally this is in the form of someone else having access, or there being a central password store. Read in to the Childs case and indeed there was a place where passwords were supposed to be stored and he didn't do it. However even if that's not the case, you have to relinquish the passwords when you leave. If you are the only one with the root password, you have to hand it over (or change it for them or whatever). Same shit as your keys, when you leave employment, you have to turn in your keys.
You don't have to help them figure anything out, but you are not allowed to lock them out of their own systems. If you cannot see the difference, you are being deliberately blind.
You and I may see the difference, but can your luddite boss and his luddite lawyer? You might think that laws and court rulings are based on responsible understandings of the facts, but then you would be wrong.
Hoist Number One and Number Six.
Making jokes the way Americans do about "pound me in the ass prison" indirectly condones the fact that such a prison system exists. Heck, how many tv shows have a cop quickly whispering into the ear of the just arrested (and hence not convicted eg innocent) perp about what's going to happen to him in jail?
People replying to my sig annoy me. That's why I change it all the time.
Mr. Childs DID have a peer (or more realistically a better) on his jury. One of the jurors has a CCIE and works in network. See http://www.networkworld.com/news/2010/042910-terry-childs-juror-explains-why.html for the details. Also remember that it takes only one juror for a mistrial. All jurors have to agree for a conviction.
The problem is that he flat out broke the law, and it was pretty obvious he knew he was doing wrong, he just thought they couldn't touch him. He had become infected with the sysadmin disease of thinking that he owned the systems and could do as he pleased, and that he could make himself indispensable.
So sorry, but don't try and pass this off as "stupid jurors." The man had someone with the peak of network training sitting on his jury.
If things aren't well documented at your work, push to get them documented. This is better for everyone involved. Have it clearly spelled out who can have access to what and under what circumstances.
For example where I work, the policy is that all shared passwords have to be kept in a safe that my boss has. Under normal circumstances, he is the only one with access. I don't know the circumstances that someone higher up can get access, since that really isn't my problem. However it is all well laid out. So long as my boss keeps the passwords there, he's in the clear.
So if you are in a situation where you are one of the few, or the only person, with access to something critical, make sure it is done right. Check and see if there is a policy and if so follow it. If not, work to have one created. It'll keep you in the clear and make everything much easier. You then don't have to ponder "Should this person get access," you have a policy that states it.
From a purely ethical standpoint, he wasn't very. As for a four year sentence given the nature of the crime, personally I think that's incredibly absurd and yet equally indicative of the judicial system in the US.
Well I'm just not sure how to respond to such obstinance. There is plenty of information out there as to why the jury voted as they did and what law was broken and so on. If you are unwilling to read and understand that, I can't help you. Some people just want to be paranoid, I guess.
Also this "Luddite boss" thing really reeks of ego mania. Far too many sysadmins think they are the Smartest Motherfuckers in the Universe and that there is no way their boss could possibly understand any of this because he's not as good at tech. Turns out that's often not the case, a manager may understand technology and more important the limits of their own knowledge about technology just fine. They may well be an intelligent individual, just with some different skills than yourself.
I'm not saying some aren't dumbasses, but then so are some sysadmins. I'm just saying this attitude of "Only tech people can possibly understand," is extremely arrogant.
The network for the city of San Francisco will now be managed forever by an outsourced company with a phalanx of lawyers. No single individual will ever accept the liability of the clusterf@&! which is San Francisco bureaucracy. The cost of this trial is minuscule to the ongoing costs which will be incurred paying for outsourced network overhead.
Every mans' island needs an ocean; choose your ocean carefully.
It isn't about PASSWORDS it is about ACCESS. He had sole access to some systems, including some very critical ones. He wouldn't turn over access. In some cases, this would have meant creating accounts for other people. In other cases, this would have meant handing over the password. Remember that some things like root or enable have only one password.
So the issue wasn't that he wouldn't give up his own personal password, the issue was that he was denying the rightful owners of the systems (the city) access to those systems.
Also please note this all started way before he got canned.
On the other hand, I rather doubt that refraining from making the jokes would lead to imminent abolition or reform of those institutions.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
America may be civilized in the broadest sense of the term, but it is anything but civil. When you have a "civilization" where keeping people imprisoned is a $40 billion a year industry, and prison wardens allowing criminal activity inside their institutions as a cost-effective means of self-policing, you're going to have people getting raped and you're going to have people coming out of prison much worse off than when they went in.
"Turned Out" is an interesting and disturbing documentary about the dynamic of prison sex and rape http://www.youtube.com/watch?v=M4_uvvcaDqw
I'm just saying this attitude of "Only tech people can possibly understand," is extremely arrogant.
It's also bad engineering. If the system is so fragile that you're the only one who can work on it, then you're doing a bad job. What if you get hit by a bus? What if you decide to quit so you can accept your dream job? Whatever you build should be (at least mostly) maintainable by any other average practitioner with similar credentials.
This.
The people who really ought to be having a miserable time in prison get a free pass to carry on tormenting and hurting other people for their own amusement. Other people who have nowhere to escape and nobody to turn to for help.
No sig today...
The problem isn't the joke, the joke is fine. The problem is that it's really going to happen, that we all know it and that we do nothing about it.
No sig today...
The process of "being fired" does not end your responsibilities with you stopping to work and going out of the building. It ends only when you:
1) gave back all physical objects the firm loaned to you within the execution of your work (laptop, cars, etc...)
2) gave back all access keys in your possession (be it physical, RSA keys, or electronics)
3) gave back all financial access you had to (firm credit card for example), and I may pass a few others.
If you do not think so, you are a "Terry Childs in waiting", as in, risk prison if you think you can skimp on your responsibility. Being fired doesn't mean you can keep stuff from the firm, be it unique key knowledge (like passwords), or physical items.
It's actually pretty dumb to think so. About as dumb as somebody keeping a laptop at home after being fired.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
Is assault & battery funny? Of course not, but it is when the Three Stooges did it. Is gun violence funny? No, but we laugh when Yosemite Sam does it. Bad things are funny. Really bad things not so much, and there's no real objective way to draw that line, but something like a male criminal getting it in the pooper...well, pretty overdone, not too funny, and in the end you would hope it doesn't happen as the punishment would be nowhere near close to fitting the crime (I would certainly hope they're not holding him with violent criminals who would do that sort of thing), but I don't get all the righteous indignation over merely mentioning it in some sort of attempt at humor.
Correct, but you're supposed to keep all of the others. Also, you're not supposed to have them in a manner which is entirely notional because you don't have the means to force the issue (see restricting prisoners' access to the courts).
FGD 135
Have you had to deal with many PHBs? Corporations are full of them, and most I wouldn't trust to install XP without fucking it up. True story- I used to have lunch and do hired gun work for an old Linux sysadmin named Glenn. Classic gruff sysadmin that really knew his foo. He told me about how he had to miss our lunches the week before because he had to deal with the PHB put in charge, ended up being drug all the way to regional headquarters and threatened with firing, and for what? And I quote "You have NO RIGHT to block my emails from Melissa! Who I speak with is NONE OF YOUR BUSINESS!" That's right, he was nearly fired for refusing to let the Melissa worm loose on the network. Lucky for Glenn the regional guy wasn't a retard and had actually kept up on what was then current events, so he turned to Glenn and said "Is he talking about the worm? You're kidding, right? You told him it was a worm, right? I got drug out of a meeting...for this?" and then proceeded to give the PHB a real bitching and gave Glenn and his wife a steak dinner on the company.
So I've learned NEVER underestimate the stupidity of a PHB. I've dealt with PHBs that would sticky note passwords all over the damned place, but God fricking forbid they don't have access to a password because that's YOUR ass. That is why I gave up dealing with corporate and instead run my little shop. The pay isn't nearly as good but I don't feel like bashing my head against a wall several times a day either. While I agree that he should have handed over the passwords I too worry about where exactly does a job officially end legally with this precedent. What if you hand over the passwords and your setup is too complex for the moron the PHB hires? Can YOU basically be forced to come in and train the moron or be blamed with network "tampering"? If it is one thing we have seen with the courts, common sense rarely plays a part. Also 4 years is total bullshit, I've known guys that have damned near beat someone to death in a fight that got less.
ACs don't waste your time replying, your posts are never seen by me.
I am very critical of Terry Childs' actions and think that those can at least be interpreted as a criminal act. But 4 years for such a bagatelle case? What do you do with a real criminal? There was a lot of incompetence on the city side walking around which enabled such a situation. I think he was afraid of losing his job and overstepped his legal options. But what do you do with someone who does this to steal money or with the intent to cause damage? Shoot him?
People who drive under the influence of alcohol and kill someone get away with less.
I think the punishment is out of proportion.
CU, Martin
Here's an interesting deconstruction of the idea:
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Not exactly true.
If you happen to have keys to company doors on your keyring, you are required to return them. If you happen to have been given a company car, you are required to return it.
Just because you have been fired does not mean that you are free to keep whatever company property you may have in your possession. The question then becomes whether passwords are considered company property.
Also, as pointed out elsewhere... An administrator that had so little common sense as to not plan for his untimely demise (as in others already have those passwords should he suddenly die), should really be considered as nothing more than a bumbling fool by real professionals.
And yes, I believe most people would consider any code or other work-product on your computer but not yet committed to source control as company property (they already paid you for providing it) so you must help them access it. Yes, most company network admins can do this with their accounts and that can be considered good enough.
Prisoners rape each other, commit assault against one another and occasionally murder each other. Extortion is even more prevalent than rape in US prisons, because it is also present in minimum and medium security prisons. You can scream and shout about how all of this violates human rights all you want. And claim that we are turning a blind eye to a problem. But it is simple really, we do not have the capacity to imprison and monitor so many people. We've overloaded our prisons and understaffed them. We've lost control over our prison population and at this stage we're just trying to keep them from escaping or murdering each other too often, with only limited success.
If you have to go to an American prison you'll just have to get used to violence, and tolerate things like rape to survive (although it is quite rare in a minimum security prison). Pretend you're taking a vacation to some lawless country.
“Common sense is not so common.” — Voltaire
The answer to your question is that most people don't believe that prison rape is appropriate. Nor is it sanctioned under our law. It is a crime in every state, but where you have a concentration of criminals, you have a concentration of crime. Prison rape is not inevitable (except in movies). "Only" about 2% of prisoners in the US are raped.
That rate climbs over 10% when you are talking about juvenile prisoners -- boys -- who are incarcerated with adults. This is about the same rate of sexual assault perpetrated at juvenile detention facilities by staff (12%), but in adult prisons involves a much higher chance of HIV transmission. The rate in juvenile facilities also includes coercive but less violent abuse (e.g. threatening to extend the prisoner's sentence if he does not engage in sex acts). In any case Mr. Childs is unlikely to be raped in prison given his age and the type of facility he will likely be in.
I should point out that the prison rape figures are still alarming, especially serious given the extraordinarily high rates of incarceration we have in the US, especially of children. About 3/4 of a percent of the US population is in prison, by far the highest rate in the world.
I bring the juvenile issue up because surely this is a litmus test of barbarism. Proponents of more frequent and longer prison sentences often advocate trying juveniles in adult courts. However they do not (saving anonymous Internet fruitcakes) argue that sexual assault of child offenders is something that ought to be sanctioned. I have certainly met a few rare individuals who believe that rape is part of the "cure", but I don't think many law and order advocates endorse this view -- at least not in public. I'd say that their attitude to this problem is more one of indifference. All things being equal most would rather it didn't happen, but they consider it a tolerable problem if, apart from that, public safety and justice for victims are promoted.
The argument advocates typically make is that the public good is served by removing criminals from society. In the case of transferring youth to adult prisons, it is also asserted that they will receive longer sentences, keeping them off the street longer, and that the harsher conditions in adult prisons will "scare them straight". There is intuitive appeal in these positions, but they are not confirmed by studies of states where juvenile "transfer" laws have been passed. Juvenile crime rates have not dropped relative to states not having such laws, so it is probable that not enough youths are removed from the streets to make a difference. While sentences in the adult system are indeed longer, time actually served is not, and when released youths who have spent time in adult prisons actually re-offend at a higher rate. However, even where it can be shown that juvenile transfer laws don't keep young offenders off the street longer, expose them to prison rape, and discharge them with higher rates of recidivism and sometimes HIV, I would not expect such laws to be repealed. People want these laws to work.
This brings me back to the question of why the problem of prison rape is so much larger in the US than the rest of the civilized world. The appalling things that happen in US prisons (particularly to young people) aren't a sign of intentional barbarism in US laws. Nor are they a sign of the barbarism of Americans as a whole, although we certainly have our share of law abiding citizens who are depraved enough to enjoy the prospect of prisoners being raped (some states more than their share).
These abominations are the result of a culture that values problem solving, even in the case of problems that are unsolvable. When we are faced with a problem that must be managed rather than solved, we still look for a solution. If a rationally defensible solution evades us, we look for a dramatic action to take. In such cases a harsh action seems plausible to us, even if it costs a tremendous amount of money (as our huge prison systems do).
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
And you're leaving out the fact that Childs had CC'ed the person asking for passwords a week earlier, on an email containing a list of usernames and passwords that he had set up. What changed in the intervening week, where the guy who you claim "wasn't authorized to have them, by city policy" was deemed an authorized user by Mr. Childs, and the day he was fired, when suddenly Mr. Childs decided he wasn't authorized?
For all the people claiming that giving out passwords constitutes "working for free after you've been fired," stop and consider this: what constitutes more work - saying (or writing) down one sentence - "The password is XXXXXXXXX", or enforcing your version of an employers' security policy for them after you've been let go? Less than 10 seconds of writing or speaking, versus a 4 year jail term, and years spent in courts over a ridiculous semantic issue?